Why Fortinet Products Keep Appearing in Security Advisories

Fortinet firewalls are everywhere, reportedly accounting for over half of all firewall units shipped worldwide. But with that dominance comes scrutiny, and in recent years Fortinet has faced more critical vulnerabilities (CVEs) than almost any other security vendor.

This post looks at why Fortinet products are so often affected, digging into the root causes in their code, development practices, and architecture. We’ll also compare Fortinet’s track record with major competitors like Palo Alto Networks and Cisco, using historical CVE data from the last several years.

Potential Root Causes of Frequent Fortinet Vulnerabilities

Broad, Complex Codebase and Legacy Components

Fortinet’s flagship product, FortiOS, is a huge, all-in-one operating system that powers firewalls, VPNs, intrusion prevention, anti-malware, web filtering, and more. This broad feature set naturally expands the attack surface, making bugs more likely.

In some cases, FortiOS has relied on outdated or third-party code. A recent disclosure revealed Fortinet was still using an Apache “apreq” library nearly 25 years old, with known memory safety issues. This introduced critical flaws that could allow remote code execution (RCE) or denial-of-service (DoS) if exploited.

Another example is Fortinet’s FortiClient endpoint software, which was still using an old version of the Electron framework in 2023–24. It lacked modern sandboxing and had known vulnerabilities. On top of that, Fortinet didn’t follow Electron’s recommended security practices, accidentally introducing critical flaws.

Development Practices and Quality Assurance

Fortinet says it runs a strict Secure Development Lifecycle. The company claims around 80% of the vulnerabilities reported in 2023 were found internally, before any external researcher spotted them.

That shows Fortinet is investing in testing and auditing, but it also explains why their CVE numbers look so high. They publicly disclose almost everything they find, while some competitors quietly patch issues without publishing CVEs. Fortinet calls this “radical transparency.”

Still, the fact remains that so many flaws exist in the first place. Many of Fortinet’s most serious bugs are memory corruption issues (like buffer overflows) in low-level C/C++ code. This points to a history of performance-focused development where secure coding practices such as strict input checking and bounds enforcement sometimes took a back seat.

To their credit, Fortinet has now signed on to CISA’s Secure-by-Design pledge, committing to improvements like eliminating default passwords and enabling auto-updates by default.

Architectural Factors and Attack Surface

Fortinet devices expose a wide range of services on their interfaces, including SSL-VPN portals and web management UIs. Each of these is an attack entry point.

SSL-VPN, in particular, has been a repeat offender. Notable vulnerabilities include:

• CVE-2018-13379: Path traversal flaw, allowed unauthenticated file downloads

• CVE-2020-12812: Authentication bypass

• CVE-2023-27997: Heap buffer overflow in SSL-VPN

Because VPN is tightly integrated into FortiOS, any flaw there risks compromise of the entire firewall. Competitors like Palo Alto or Check Point often use a more segmented architecture, reducing this kind of blast radius.

On top of this, Fortinet’s huge install base makes it a prime target. In 2021, the FBI and CISA issued warnings about attackers actively scanning for and exploiting unpatched Fortinet devices. When millions of appliances are exposed to the internet, every bug becomes more attractive to adversaries.

Comparison With Other Vendors

Fortinet isn’t alone in having vulnerabilities, but the numbers stand out:

Cisco has a high raw count, but that’s across hundreds of products. Fortinet’s 198 CVEs in 2023 were concentrated mainly in FortiOS and related tools, far higher density than competitors. By contrast, Palo Alto reported only around 20 CVEs that year.

Key Takeaways

Fortinet’s frequent CVEs come down to:

• A large, complex codebase with some outdated components

• Development practices that historically prioritised features and performance over strict safety

• An architecture with exposed services (especially SSL-VPN)

• A massive install base, making them a prime target

The company’s proactive disclosure inflates their numbers compared to peers, but that’s a double-edged sword. Customers benefit from faster patches, but also face frequent patch cycles and higher operational overhead.

For NZ businesses, the lesson is clear:

• Don’t assume your firewall alone makes you secure

• Always apply Fortinet patches promptly

• Use layered defences, and consider penetration testing or config reviews to validate controls

Fortinet’s reputation has taken hits from its CVE count, but with its Secure-by-Design commitments and continued transparency, there’s hope that future versions of FortiOS will see fewer critical flaws. Until then, vigilance is key.

Sources

• Fortinet PSIRT: Secure-by-Design Commitment – Fortinet’s blog on development lifecycle and vulnerability disclosure.

• Fortinet PSIRT Advisories – Monthly advisories covering FortiOS, FortiGate, and other products.

• CISA/FBI Alert: Exploitation of Fortinet Vulnerabilities – Warning about Fortinet SSL-VPN exploits in the wild.

• CVE Details: Fortinet, Cisco, Palo Alto Networks – CVE databases with historical vulnerability counts.

• Dark Reading – Fortinet Products in Crosshairs Again – Recent reporting on Fortinet vulnerabilities.

• SecurityWeek & BleepingComputer – Coverage of Fortinet SSL-VPN and FortiOS flaws.

• Reddit: r/networking – Fortinet CVE discussions – Community perspectives on QA vs. disclosure practices.